In my previous blog, I spoke about 3 Knowledge objects: Splunk Timechart, Data model and Alert that were related to reporting and visualizing data. In case you want to have a look, you can refer here. In this blog, I am going to explain Splunk Events, Event types and Splunk Tags. These knowledge objects help to enrich your data in order to make it easier to search and report on. So, let’s get started with Splunk Events.

Splunk Events

An event refers to any individual piece of data. The data that has been forwarded to the Splunk server is stored as Splunk Events. This data can be in any format, for example: a string, a number or a JSON object.

Let me show you how events look in Splunk:

As you can see in the above screenshot, there are default fields (Host, Source, Sourcetype and Time) which get added after indexing. Let us understand these default fields:

Host: Host is the hostname or IP address of the machine or appliance from which the data comes. In the above screenshot, My-Machine is the host.

Source: Source is where the host data comes from. It is the full pathname of a file or directory within a machine. For example: C:\Splunk\emp_data.txt

Sourcetype: Sourcetype identifies the format of the data, whether it is a log file, XML, CSV or a thread field. It describes the data structure of the event. For example: employee_data

Index: It is the name of the index where the raw data is indexed. If you don’t specify anything, it goes into a default index.

Time: It is a field which displays the time at which the event was generated. It is stamped on every event and cannot be changed. You can rename it or slice it over a period of time in order to change its presentation. For example: 3/4/16 7:53:51 represents the timestamp of a particular event.

Now, let us learn how Splunk Event types help you to group similar events.

Splunk Event Types

Assume you have a string containing the employee name and employee ID and you want to search the string using a single search query rather than searching them individually. Splunk Event types can help you here. They group these two separate Splunk events and you can save this string as a single event type (Employee_Detail).

Splunk event type refers to a collection of data which helps in categorizing events based on common characteristics.

It is a user-defined field which scans through huge amounts of data and returns the search results in the form of dashboards. You can also create alerts based on the search results.

Do note that you cannot use a pipe character or a subsearch while defining an event type. But, you can associate one or more tags with an event type. Now, let us learn how these Splunk event types are created. There are multiple ways to create an event type:

Using Search

Using Build Event Type Utility

Using Splunk Web

Configuration files (eventtypes.conf)

Let us go into more detail to understand it properly:

1. Using Search: We can create an event type by writing a simple search query. Go through the below steps to create one:

> Run a search with the search string. For example: index=emp_details emp_id=3

> Click Save As and select Event Type.

You can refer to the below screenshot to get a better understanding:

2. Using Build Event Type Utility: The Build Event Type utility enables you to dynamically create event types based on Splunk events returned by searches. This utility also enables you to assign specific colors to event types.

You can find this utility in your search results. Let’s go through the below steps:

Step 1: Open the dropdown event menu

Step 2: Find the down arrow next to the event timestamp

Step 3: Click Build event type

Once you click on ‘Build Event Type’ displayed in the above screenshot, it will return the selected set of events based on a particular search.

3. Using Splunk Web: This is the easiest way to create an event type. For this, you can follow these steps: » Go to Settings » Navigate to Event Types » Click New

Let me take the same employee example to make it easy. The search query would be the same in this case: index=emp_details emp_id=3

Refer to the below screenshot to get a better understanding:

4. Configuration files (eventtypes.conf): You can create event types by directly editing the eventtypes.conf configuration file in $SPLUNK_HOME/etc/system/local. For example: “Employee_Detail”. Refer to the below screenshot to get a better understanding:
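As an added illustration (this is not a screenshot or file from the original post), this is what the stanza for the Employee_Detail event type looks like in eventtypes.conf, using the same search string as the earlier examples. The stanza name is the event type name and the search setting holds the saved search; the description line is an optional setting added here for readability:

```ini
# $SPLUNK_HOME/etc/system/local/eventtypes.conf
# Stanza name = event type name; search = the saved search string.
# Pipes and subsearches are not allowed in an event type search.
[Employee_Detail]
search = index=emp_details emp_id=3
description = Events for employee 3 in the emp_details index
```

Once Splunk has picked up the change, searching for eventtype=Employee_Detail returns the same events as running the saved search directly, and tags can then be attached to the eventtype field/value pair like any other.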

By now, you would have understood how event types are created and displayed. Next, let us learn how Splunk tags can be used and how they bring clarity to your data.

Splunk Tags

You must be aware of what a tag means in general. Most of us use the tagging feature in Facebook to tag friends in a post or photo. Even in Splunk, tagging works in a similar fashion. Let’s understand this with an example. We have an emp_id field for a Splunk index. Now, you want to provide a tag (Employee2) to the emp_id=2 field/value pair. We can create a tag for emp_id=2, which can now be searched using Employee2.

Splunk tags are used to assign names to specific fields and value combinations.

It is the simplest method to get results for a field/value pair while searching. Any event type can have multiple tags to get quick results.

It helps to search groups of event data more efficiently.

Tagging is done on the key value pair which helps to get information related to a particular event, whereas an event type provides the information of all the Splunk events associated with it.

You can also assign multiple tags to a single value.

Look at the screenshot on the right side to see how a Splunk tag is created.

Go to Settings -> Tags

Now, you might have understood how a tag is created. Let us now understand how Splunk tags are managed. There are three views in the Tags page under Settings:

1. List by field value pair

2. List by tag name

3. All unique tag objects

Let us get into more details and understand different ways to manage and get quick access to associations that are made between tags and field/value pairs.

1. List by field value pair: This helps you to review or define a set of tags for a field/value pair. You can see the list of such pairings for a particular tag. Refer to the below screenshot to get a better understanding:

2. List by tag name: It helps you to review and edit the sets of field/value pairs. You can find the list of field/value pairings for a particular tag by going to the ‘List by tag name’ view and then clicking on the tag name. This takes you to the detail page of the tag. Example: Open the detail page of the employee2 tag. Refer to the below screenshot to get a better understanding:

3. All unique tag objects: It lists all the unique tag names and field/value pairings in your system. You can search for a particular tag to quickly see all the field/value pairs with which it’s associated. You can easily maintain the permissions, and enable or disable a particular tag.

Refer to the below screenshot to get a better understanding:

Now, there are 2 ways to search tags:

If we need to search for a tag associated with a value in any field, we can use: tag=<tagname>. In the above example, it would be: tag=employee2

If we are looking for a tag associated with a value in a specified field, we can use: tag::<field>=<tagname>. In the above example, it would be: tag::emp_id=employee2

In this blog, I have explained three knowledge objects (Splunk events, event type and tags) that help to make your searches easier. In my next blog, I will explain some more knowledge objects like Splunk fields, how field extraction works and Splunk lookups. Hope you enjoyed reading my second blog on knowledge objects.

Do you wish to learn Splunk and implement it in your business? Check out our Splunk certification training here, that comes with instructor-led live training and real-life project experience.